The computer company on Monday acknowledged the security hole and said it will provide its customers, via email and through its customer support Web site, with instructions on how to remove the program.
On Sunday, computer programmer Joel Nord posted a blog saying that he was “surprised to see” that the Dell Inspiron 5000 Series laptop which he bought in October this year contained a pre-installed trusted root certificate labeled “eDellRoot.”
A root certificate verifies that a Web site a computer user visits is in fact the site the user intended to access.
Digital certificates use cryptographic keys to sign and validate encrypted Internet connections so that they can be trusted as secure.
While looking into the certificate details in his machine, Nord found this message: “You have a private key that corresponds to this certificate.”
This is bad news because it means an attacker who obtains the key can pose as any legitimate Web site the user visits, stealing personal data or monitoring browsing activity.
“As a user computer, I should never have a private key that corresponds to a root CA,” he wrote. “…Anyone possessing the private key which is on my computer is capable of minting certificates for any site for any purpose and the computer will programmatically and falsely conclude the issued certificate is valid.”
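The condition Nord describes, a trusted root CA whose private key is present on the end-user machine, is something Windows exposes directly through the certificate store, so it can be audited. The following PowerShell script is an added example, not code from the article or from Dell: it walks the machine and user trusted-root stores and flags any root certificate that either carries the "eDellRoot" subject named above or, more generally, reports a matching private key. The function name and its parameter are this example's own choices.

```powershell
# Added example (not from the article or from Dell): audit the Windows
# trusted-root stores for the condition the article describes, a root CA
# certificate whose private key is present on the machine. It flags the
# "eDellRoot" subject named in the article and, more generally, any root
# certificate for which Windows reports HasPrivateKey = $true.

function Find-SuspiciousRootCerts {
    [CmdletBinding()]
    param(
        # Subject substrings worth calling out by name; "eDellRoot" is from the article.
        [string[]] $KnownBadSubjects = @('eDellRoot')
    )

    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    foreach ($store in $stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            $knownBad = $KnownBadSubjects | Where-Object { $cert.Subject -like "*$_*" }
            # A root CA on an end-user machine should only ever be a public certificate;
            # a matching private key means anyone who extracts it can issue certificates
            # that this machine will trust for any site.
            if ($cert.HasPrivateKey -or $knownBad) {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    HasPrivateKey = $cert.HasPrivateKey
                    KnownBad      = [bool]$knownBad
                }
            }
        }
    }
}

# Run the audit and show anything flagged.
$findings = Find-SuspiciousRootCerts
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No root certificates with a private key or a known-bad subject were found.'
}
```

Run it from an elevated PowerShell session so that the LocalMachine store is readable in full. A flagged entry can be removed with `Remove-Item` on its `Cert:` path (store plus thumbprint); running that with `-WhatIf` first shows what would be deleted. The article notes that Dell itself committed to publishing removal instructions, so on an affected Dell system those should be followed rather than relying on the store deletion alone.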
After Nord posted his findings, another user posted a message saying he had found the same thing on a Dell XPS 15 laptop he purchased. Subsequent reports said the certificate and private key were also found on an XPS 13 unit, some Inspiron desktop computers, Precision M4800 and Latitude laptops.
Nord likens the security flaw to the Superfish adware bundled by Lenovo into its computers in 2014.
In February this year, the United States Department of Homeland Security advised users to uninstall Superfish and its associated root certificate, because they make computers vulnerable to cyberattacks including interception of passwords and sensitive data.
In a statement to newswire agency Reuters, Dell said it began installing eDellRoot on computers in August.
The move was “related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience,” the statement said. “Unfortunately, the certificate introduced an unintended security vulnerability.”